Protect User Privacy in Internet Explorer 7.0 - 12 Dec 2007

Online interactions often involve the exchange of personal information—such as physical and email addresses, gender, credit card number and personal preferences—and you've probably wondered whether the Web site you're interacting with is really using your personal information for only the reasons you intended. For example, when you buy a book on the Internet, is the online bookstore using your address information just to ship your book or also to send you mailings based on your shopping behavior and your personal preferences (which the bookstore’s Web site has been recording)? The Web site probably has a privacy statement that might say that the site won’t use your personal information for targeted mailing campaigns—but if you did find the privacy statement, did you read this five-page, small-print document? Many Web sites don't have an easy-to-use mechanism that lets customers quickly check a site's real intentions regarding their personal information.

This is where the World Wide Web Consortium’s Platform for Privacy Preferences (P3P) Project comes in. P3P provides a quick and easy way for Web browsers to evaluate a Web site’s privacy policy. P3P lets Web site owners provide their site’s privacy policy in a format that can be automatically retrieved and interpreted by Web browsers, so users don't have to read and analyze an extensive privacy policy. P3P also lets you manage and control the cookies that a browser downloads to its file system cache. (For more information, see "Platform for Privacy Preferences (P3P) Project," at www.w3.org/p3p). Let's look at how Microsoft embedded P3P support in Microsoft Internet Explorer 7.0 and how you can use IE 7.0 to configure P3P services to provide more control over user privacy.

Interpreting Structured Privacy Policies

P3P uses XML to express and structure privacy policies. To see an example of an XML-formatted P3P policy, take a look at AT&T’s P3P privacy policy (www.att.com/privacy/p3p2.xml). An important advantage of using a structured XML layout is that all P3P-compliant Web sites’ privacy policies are organized in the same manner so that machines can automatically interpret them and present their important points to users.

To understand P3P-formatted privacy policies, a browser must have a P3P agent. P3P agents are embedded in IE 6.0 and IE 7.0 and in Netscape Navigator 6.0, 7.0, 8.0, and 9.0. Mozilla is planning to add P3P support in a future version of the Firefox browser. (For more information about Mozilla's plans, see "The Platform for Privacy Preferences (P3P)" at www.mozilla.org/projects/p3p.)

To check whether a Web site makes available a P3P-formatted version of its privacy policy and to see how IE interprets and displays this policy, in IE 7.0 on a Windows Vista computer, select the Web Page Privacy Policy option from the Page menu. In IE 7.0 on a Windows XP computer, select the Web Page Privacy Policy option from the View menu. In IE 6.0, select the Privacy Report option from the View menu. Then, in the Privacy Report dialog box, select a Web site and click the Summary button. If the Web site has implemented a P3P policy, you should see a privacy policy summary similar to the one in Figure 1. Note that in the privacy policy you can see in IE, the P3P XML formatting is removed. The privacy policy is expressed in an easily readable format—it uses a set of questions and answers that can be understood even by the average browser user, who is typically not a privacy expert.

Cookie Filtering

Browsers use cookies to maintain user information between different browser sessions. Often they're used to let a browser remember user credentials and provide single sign-on (SSO). But cookies can also be used maliciously—for example, to gather information on your browsing or online purchasing habits. This information is then forwarded unnoticed to a third party on the Internet that leverages it for marketing purposes.

P3P lets you manage and control the cookies that a browser downloads to its file system cache. In the IE documentation, this feature is referred to as cookie filtering. To better understand how IE filters cookies and how you can influence the filtering behavior, you must understand the different cookie types a browser deals with. A cookie can be persistent or session, and it can be first party or third party.

A session cookie is a cookie that's deleted from the IE cookie cache when IE is closed.

A persistent cookie can survive from one browser session to the next; it’s deleted only when the cookie reaches its predefined expiration time or when a user explicitly deletes it.

A first-party cookie is a cookie created by the Web site whose URL the user types in the browser address bar.

A third-party cookie is created by a Web site that’s linked to a Web page a user visits, such as a Web site linked to an ad that appears on a Web page the user navigated to. For example, if you surf to Google.com and the Google Web site creates a cookie in your browser cache, this cookie is a first-party cookie. If the Google Web site contains an ad that links to the HP.com Web site, which also creates a cookie on your system, the HP cookie is a third-party cookie.

In IE, you can set your cookie-filtering preferences by cookie type, the originating Web site of a cookie, and the comfort level you feel based on the existence or non-existence of a P3P policy for a given Web site. I’ll explain how to set up these preferences in more detail below. Given these preferences, the IE P3P agent automatically allows or blocks cookies, or changes cookie properties (e.g., the P3P agent can downgrade a persistent cookie to a session cookie).
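The cookie taxonomy above (session versus persistent, first party versus third party) and the three actions the P3P agent can take (allow, block, downgrade) are easy to misjudge by eye. The following Python script is an added example, not code from the article or from Internet Explorer: it classifies a constructed set of Set-Cookie headers against the page the user navigated to and then applies a deliberately simplified model of the Medium level described later in the article. The domain comparison keeps only the last two labels (real browsers use the public suffix list), and the "downgrade" branch is this example's reading of what "restrict first-party cookies" means, not IE's exact rule set.

```python
"""Classify cookies using the article's taxonomy (session vs. persistent,
first vs. third party) and apply a simplified P3P-style filtering decision.
Added example; this is not Internet Explorer's own logic."""
from dataclasses import dataclass
from typing import Dict, List, Tuple
from urllib.parse import urlparse


@dataclass
class Cookie:
    name: str
    value: str
    persistent: bool   # carries Expires or Max-Age; otherwise it dies with the session
    first_party: bool  # set by the site whose URL is in the address bar


def registrable_domain(host: str) -> str:
    """Reduce a host name to its registrable domain.
    Simplification: keep the last two labels. Real browsers consult the public
    suffix list so that names such as 'example.co.uk' are handled correctly."""
    labels = host.lower().rstrip('.').split('.')
    return '.'.join(labels[-2:])


def parse_set_cookie(header: str) -> Tuple[str, str, Dict[str, str]]:
    """Split a Set-Cookie header value into name, value and lower-cased attributes."""
    parts = [p.strip() for p in header.split(';') if p.strip()]
    name, _, value = parts[0].partition('=')
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        key, _, val = part.partition('=')
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def classify(set_cookie: str, response_host: str, page_url: str) -> Cookie:
    """response_host is the server that sent the Set-Cookie header; page_url is
    the document the user actually navigated to (the address bar URL)."""
    name, value, attrs = parse_set_cookie(set_cookie)
    persistent = 'expires' in attrs or 'max-age' in attrs
    page_host = urlparse(page_url).hostname or ''
    first_party = registrable_domain(response_host) == registrable_domain(page_host)
    return Cookie(name, value, persistent, first_party)


def medium_decision(cookie: Cookie, has_compact_policy: bool) -> str:
    """Model of the Medium level as the article describes it: when a site has no
    P3P compact policy, its third-party cookies are blocked and its first-party
    cookies are restricted, modelled here as downgrading a persistent cookie to a
    session cookie. Simplification for illustration, not IE's exact rule set."""
    if has_compact_policy:
        return 'allow'
    if not cookie.first_party:
        return 'block'
    if cookie.persistent:
        return 'downgrade-to-session'
    return 'allow'


# Constructed sample traffic: a shop page that embeds an ad served from another domain.
# Each tuple is (Set-Cookie value, host that sent it, did that host send a compact policy?).
PAGE_URL = 'https://www.shop-example.com/checkout'
SAMPLES = [
    ('sid=abc123; Path=/; HttpOnly', 'www.shop-example.com', False),
    ('prefs=dark; Expires=Fri, 31 Dec 2010 23:59:59 GMT; Path=/', 'www.shop-example.com', False),
    ('track=xyz; Max-Age=31536000; Domain=.ads-example.net', 'ads.ads-example.net', False),
    ('track=xyz; Max-Age=31536000; Domain=.ads-example.net', 'ads.ads-example.net', True),
]


def run_samples() -> List[Tuple[str, bool, bool, str]]:
    """Return (cookie name, first-party?, persistent?, decision) for each sample."""
    results = []
    for header, host, has_cp in SAMPLES:
        cookie = classify(header, host, PAGE_URL)
        results.append((cookie.name, cookie.first_party, cookie.persistent,
                        medium_decision(cookie, has_cp)))
    return results


if __name__ == '__main__':
    for row in run_samples():
        print(row)
```

Running the script shows the four outcomes side by side: the first-party session cookie is allowed, the first-party persistent cookie is downgraded, and the same third-party tracking cookie is blocked or allowed depending only on whether its server sent a compact policy, which is exactly why the Privacy Alert dialog box discussed below is worth enabling for a while.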

P3P gives you a visible sign if cookies are blocked for a particular Web site: A small crossed-out eye icon appears on the IE status bar, as Figure 2 shows. Double-clicking the icon brings up the Privacy Report dialog box, which summarizes the actions the browser has taken on cookies—this is the same dialog box from which you can access a Web site’s P3P privacy policy, as we saw in Figure 1.

Configuring Cookie Filtering

You can use the slider on the Privacy tab in IE’s Internet Options dialog box to adjust cookie-filtering levels. Figure 3 shows the default setting, Medium, which means that IE will block third-party cookies and restrict first-party cookies under certain conditions (e.g., if no P3P policy has been defined for a given Web site). For a detailed overview of the different levels of cookie filtering, refer to the Microsoft article “Privacy in Internet Explorer 6” (msdn2.microsoft.com/en-us/library/ms537343.aspx).

It's important to stress that the IE cookie-filtering level you set in the Internet Options dialog box applies only to cookies generated by Web sites that are classified in IE's Internet security zone. By default, the IE P3P agent accepts all cookies of Web sites that are classified in the Local Intranet, Trusted Sites, and Local Computer security zones and blocks all cookies of Web sites that are in the Restricted Sites security zone. If you’re not familiar with the Local Computer security zone, it's a hidden zone that by default doesn't appear in the IE configuration interface. The Local Computer security zone applies to all data stored on the local machine that can be accessed from IE (with the exception of the locally cached temporary Internet files). For more information about this security zone, see the Windows IT Pro article "Using the Local Computer Security Zone" (www.windowsitpro.com/article/articleid/44962/44962.html). For a general introduction to IE security zones, see "Understanding IE Security Zones" (www.windowsitpro.com/article/articleid/43848/43848.html).

To override the IE default cookie-filtering behavior in the Internet zone—for example, to accept or block all third-party cookies—you can use Advanced Privacy Settings on the Privacy tab, which Figure 4 shows. Note that you can choose to have IE prompt you with a Privacy Alert each time a cookie is about to be downloaded to your machine. If you choose to be prompted, you'll see a Privacy Alert dialog box like the one on the left in Figure 5 when a Web site attempts to download a cookie. The Privacy Alert dialog box lets you allow or block the cookie, or view the cookie’s properties and content by clicking the More Info button, which expands the Privacy Alert dialog box (shown on the right in Figure 5). I advise you to enable the prompt option at least for a short time, simply to experience how often Web sites attempt to write cookies to your machine and to see the cookie properties (i.e., first-party, third-party, persistent, or session) the dialog box shows and the information embedded in the cookies.

One of the things you can see at the bottom of the expanded Privacy Alert dialog box is the P3P compact policy. This is an abbreviated version of the full P3P policy that Web servers communicate to Web browsers by using a custom HTTP response header. The P3P compact policy uses codes to represent each element of the full P3P policy. In the Compact Policy box in Figure 5, ALL, for example, means that the user has access to all of his or her identifiable data, and COM means that computer information is collected. A complete list of the codes and their meaning can be found in the Compact Policies section of the P3P specification at www.w3.org/TR/P3P/#compact_policies.
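Because the compact policy is just a string of three-letter codes, it is worth being able to decode one without the IE dialog box, for instance when reviewing your own site's response headers. The Python script below is an added example, not code from the article or from Internet Explorer. It pulls the token list out of a `P3P` response header (the header that carries `CP="..."`, and optionally a `policyref` pointing at the full XML policy), maps each token to its group and meaning using a partial table taken from the P3P 1.0 compact policy vocabulary, and flags one combination a defender typically wants to notice: contact data collected and shared with unrelated third parties without opt-in. The sample header is constructed for the example, and the "concern" check is this example's own heuristic, not IE's evaluation rule.

```python
"""Decode a P3P compact policy header into human-readable statements.
Added example; the token table is a partial transcription of the P3P 1.0
compact policy vocabulary (www.w3.org/TR/P3P/#compact_policies)."""
import re
from typing import Dict, List, Optional, Tuple

# token -> (group, meaning). Purpose and recipient tokens may carry a qualifier
# suffix: a = always, i = opt-in, o = opt-out (CUR and OUR take none).
TOKENS: Dict[str, Tuple[str, str]] = {
    'NOI': ('access', 'no identified data is collected'),
    'ALL': ('access', 'access to all identified data'),
    'CAO': ('access', 'access to identified contact and other identified data'),
    'IDC': ('access', 'access to identified contact information'),
    'OTI': ('access', 'access to other identified data'),
    'NON': ('access', 'no access to identified data'),
    'DSP': ('disputes', 'a dispute resolution procedure is described'),
    'COR': ('remedies', 'errors or wrongful actions will be corrected'),
    'MON': ('remedies', 'money may be paid as a remedy'),
    'LAW': ('remedies', 'remedies as defined by law'),
    'CUR': ('purpose', 'completion and support of the current activity'),
    'ADM': ('purpose', 'web site and system administration'),
    'DEV': ('purpose', 'research and development'),
    'TAI': ('purpose', 'one-time tailoring'),
    'PSA': ('purpose', 'pseudonymous analysis'),
    'PSD': ('purpose', 'pseudonymous decision'),
    'IVA': ('purpose', 'individual analysis'),
    'IVD': ('purpose', 'individual decision'),
    'CON': ('purpose', 'contacting visitors for marketing'),
    'HIS': ('purpose', 'historical preservation'),
    'TEL': ('purpose', 'telephone marketing'),
    'OTP': ('purpose', 'other purposes'),
    'OUR': ('recipient', 'ourselves and/or our agents'),
    'DEL': ('recipient', 'delivery services'),
    'SAM': ('recipient', 'legal entities following our practices'),
    'UNR': ('recipient', 'unrelated third parties'),
    'PUB': ('recipient', 'public fora'),
    'OTR': ('recipient', 'legal entities following different practices'),
    'NOR': ('retention', 'not retained'),
    'STP': ('retention', 'retained for the stated purpose'),
    'LEG': ('retention', 'retained as required by law'),
    'BUS': ('retention', 'retained under business practices'),
    'IND': ('retention', 'retained indefinitely'),
    'PHY': ('category', 'physical contact information'),
    'ONL': ('category', 'online contact information'),
    'UNI': ('category', 'unique identifiers'),
    'PUR': ('category', 'purchase information'),
    'FIN': ('category', 'financial information'),
    'COM': ('category', 'computer information'),
    'NAV': ('category', 'navigation and click-stream data'),
    'INT': ('category', 'interactive data'),
    'DEM': ('category', 'demographic and socioeconomic data'),
    'CNT': ('category', 'content'),
    'STA': ('category', 'state management mechanisms'),
    'POL': ('category', 'political information'),
    'HEA': ('category', 'health information'),
    'PRE': ('category', 'preference data'),
    'LOC': ('category', 'location data'),
    'GOV': ('category', 'government-issued identifiers'),
    'OTC': ('category', 'other categories'),
    'TST': ('test', 'test policy; agents should ignore it'),
}
QUALIFIERS = {'a': 'always', 'i': 'opt-in', 'o': 'opt-out'}

# Constructed sample: the value of a P3P response header as a server might send it.
SAMPLE_HEADER = ('policyref="/w3c/p3p.xml", '
                 'CP="ALL DSP COR CUR ADMa DEVa IVAo CONo OUR SAMo UNRo PHY ONL COM NAV STA"')


def extract_compact_policy(p3p_header: str) -> List[str]:
    """Return the whitespace-separated tokens inside CP="..." (empty if absent)."""
    match = re.search(r'\bCP\s*=\s*"([^"]*)"', p3p_header)
    return match.group(1).split() if match else []


def decode_token(token: str) -> Tuple[str, str, Optional[str]]:
    """Map one token to (group, meaning, qualifier); unknown or malformed tokens
    are reported rather than silently dropped."""
    base, suffix = token[:3].upper(), token[3:]
    group, meaning = TOKENS.get(base, ('unknown', 'unrecognised token ' + token))
    qualifier = None
    if suffix:
        if group in ('purpose', 'recipient') and suffix in QUALIFIERS:
            qualifier = QUALIFIERS[suffix]
        else:
            group, meaning = 'unknown', 'unrecognised token ' + token
    return group, meaning, qualifier


def summarize(p3p_header: str) -> Dict[str, List[str]]:
    """Group the decoded statements the way the Privacy Report groups them."""
    summary: Dict[str, List[str]] = {}
    for token in extract_compact_policy(p3p_header):
        group, meaning, qualifier = decode_token(token)
        summary.setdefault(group, []).append(
            meaning if qualifier is None else f'{meaning} ({qualifier})')
    return summary


def shares_contact_data_with_unrelated_parties(p3p_header: str) -> bool:
    """Example heuristic (not IE's rule): contact data (PHY/ONL) is collected and
    UNR appears as a recipient without an opt-in qualifier."""
    tokens = extract_compact_policy(p3p_header)
    collects_contact = any(t[:3] in ('PHY', 'ONL') for t in tokens)
    to_unrelated = any(t[:3] == 'UNR' and decode_token(t)[2] != 'opt-in' for t in tokens)
    return collects_contact and to_unrelated


if __name__ == '__main__':
    for group, statements in summarize(SAMPLE_HEADER).items():
        print(group + ':', '; '.join(statements))
    print('contact data to unrelated parties:',
          shares_contact_data_with_unrelated_parties(SAMPLE_HEADER))
```

The decoder reports malformed tokens (a qualifier on an access token, or an unknown code) as "unknown" rather than ignoring them, which matters when you are checking a header you publish yourself: a typo in the compact policy silently changes how a P3P agent treats your cookies.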

You can also override the default IE cookie filtering by exempting selected Web sites so that you can always allow or block their cookies independent of the default cookie-filtering settings you set up. On the Privacy tab of the Internet Options dialog box, click Sites to bring up the Per Site Privacy Actions dialog box. In Figure 6, you can see that I always allow cookies from the Microsoft.com and HP.com Web sites. Note that the site exceptions you define in this interface are overridden if you previously set the default cookie-filtering behavior to either Block All Cookies or Accept All Cookies using the slider bar on the Privacy tab.

To ensure that your cookie-filtering configuration changes apply to all your cookies (including persistent cookies), I advise you to clear the IE cookie cache after you make a cookie-filtering configuration change. This will ensure that new persistent cookies are created that will be subject to your cookie-filtering configuration changes. To clear the IE cookie cache, go to the Internet Options dialog box's General tab. Under Browsing history, click Delete. Then click Delete cookies.

If you want to define a more fine-grained IE cookie-filtering behavior than the one described above, you can put the desired settings in a specially formatted XML file and import it into IE by using the Import button on the Internet Options dialog box's Privacy tab. This customization can be done only for Web sites that are in the Internet, Trusted Sites, or Local Intranet security zone. For more information about how to create this customized XML file, see "How to Create a Customized Privacy Import File" (msdn2.microsoft.com/en-us/library/ms537344.aspx).

In Windows domain environments, administrators can centrally enforce the IE cookie-filtering behavior on users’ desktops by using the Group Policy Object (GPO) at User Configuration\Windows Settings\Internet Explorer Maintenance\Security\Security Zones and Content Ratings.

Successfully Protecting Privacy

P3P is a major privacy protection initiative that's endorsed and implemented by today’s leading software vendors. (For more information about Web site P3P adoption rates, see the following reports: "An Analysis of P3P-Enabled Web Sites among Top-20 Search Results" at lorrie.cranor.org/pubs/icec06.pdf and IEEE's "P3P Adoption on E-Commerce Web sites: A Survey and Analysis" at ieeexplore.ieee.org/xpl/freeabs_all.jsp?arnumber=4120451.) P3P’s success is also illustrated by the fact that it continues to be the basis of important research projects in the privacy area. A good example of a project leveraging the P3P fundamentals is the European Union’s PRIME Project (see https://www.prime-project.eu).

But P3P certainly isn’t perfect either—for example, it assumes that Web sites are honest and reflect their true intentions with users’ data in their privacy policy. Despite what a Web site says in its P3P policy, there's no actual guarantee that the organization behind the Web site will act as promised. After all, P3P is about matching users’ privacy expectations with the promises made by an organization on its Web site. To enforce privacy, more is required—for example, proper privacy policy enforcement by the organization, coupled with some certification of privacy compliance by third parties. TRUSTe (www.truste.org) and the Better Business Bureau (www.bbbonline.org) offer privacy certification services for Web sites.

Microsoft was the first browser vendor to implement P3P support in IE 6.0, and it has since played a leading role in embedding other privacy protection features in its OSs and browser software. Good examples of such features are pop-up blocking (introduced in Windows XP SP2), spyware protection in Windows Defender (included in Windows Vista), and phishing protection (introduced in IE 7.0).

IE's P3P privacy policy and cookie-filtering features are two very valuable tools for enhancing users' online privacy. Unfortunately, many aren't aware of what the IE P3P features can do and how to leverage them. I hope this article gives you some ideas about how and why you should use IE’s P3P support to better secure your users' and your own personal data online.